2:47 p.m.
On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
>On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
>> On Saturday 28 February 2009, Dominick Grift wrote:
>> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
>> >> Greetings all;
>> >>
>> >> I have just upgraded then updated as much as possible, an F8
>
>install to
>
>> >> F10. selinux is now denying ConsoleKit and friends, and awstats.
>
>F10 will
>
>> >> run without console-kit-daemon I find, but I went so far as to
>
>touch
>
>> >> /.autorelabel & reboot & leave it to contemplate its sins for
an
>
>hour or
>
>> >> so as there is nearly 2TB of drives here. Didn't help.
>> >>
>> >> So Now I have selinux disabled, and everything it working. Can
>
>this be
>
>> >> addressed?
>> >
>> >Can you show use the avc denials related to your issues? avc denials
>
>are
>
>> >sent to /var/log/audit/audit.log and can be retrieved with the
>
>ausearch
>
>> >command. For example use: ausearch -m avc -ts today, to retrieve
>
>today's
>
>> >avc denials.
>>
>> None today, I turned it off, yesterdays is attached.
>>
>> >You state that you updated as much as possible. What did you not
>
>update?
>
>> About 70 packages are left, all the java stuff cuz I've installed from
>
>Sun,
>
>> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that
>
>up by
>
>> hand and some of the menus are still fubar) and anytime I do a -devel,
>
>it
>
>> barfs over strigi. What the heck does that thing do anywho?
>>
>> I also am not running the F10 kernel cuz I have to set stakes and call
>
>a
>
>> surveyer to measure screen scrolling speed, so I'm running 2.6.28.7
>
>and am
>
>> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now glxgears
>
>says
>
>> 275-300 fps and I can tolerate it. Anyway, from the yumex screen:
>>
>> 14:05:14 : Error in Dependency Resolution
>> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed
>
>by
>
>> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386
>
>(rpmfusion-free-
>
>> updates)
>> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is
>
>needed by
>
>> package
>
>kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
>
>> (rpmfusion-nonfree-updates)
>> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package
>
>strigi-
>
>> devel-0.5.11-1.fc10.i386 (fedora)
>>
>> I might be able to get a list of updates (if you need them) not done
>
>from yum.
>
>> I use yumex most of the time.
>>
>> Thanks Dominick
>
>No that is fine, thanks. Which version of selinux-policy is currently
>installed?
>
>I picked a few of the denials out of there and both were allowed in the
>rawhide policy.
>
>This leads me to think that either you are running a old version of the
>selinux-policy or that the fixes in rawhide policy have not been pushed
>to Fedora 10 policy yet.
>
I'll go for the latter as there isn't an update available.
[root@coyote Documents]# rpm -qa|grep policy
checkpolicy-2.0.16-3.fc10.i386
selinux-policy-3.5.13-18.fc10.noarch
policycoreutils-2.0.57-11.fc10.i386
policycoreutils-gui-2.0.57-11.fc10.i386
selinux-policy-targeted-3.5.13-18.fc10.noarch
>I either case you can create custom policies to allow these denials.
>
>A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
>mydenials; /usr/sbin/semodule -i mydenials.pp
And that upchucks. It generates mydenials.pp, then:
[root@coyote Documents]# /usr/sbin/semodule -i mydenials.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
Looks like I may be missing something?
Can you give me to output of sestatus?
you could try /usr/sbin/semodule -s targeted -i mydenials.pp
You might also consider /usr/sbin/semodule -b base.pp (this should
replace the base module)
man semodule
This looks like something that could have gone wrong during the upgrade.
It claims that a MLS base module is installed but you have installed
selinux-policy-targeted
you should really c.c. fedora-selinux-list so that knowledgeable people
like dwalsh can give suggestions as well.
>caution: i did not review all denials in your list, however most
look
>like they should be allowed.
>
>You should not let issues like these persuade you to disable SELinux.
>You can also run SELinux is permissive mode which will act as an
>intrusion detection system but will not prevent policy violations.
I am not terribly paranoid about running selinux, Dominick, I have all my
local network behind an x86 version of dd-wrt & its locked up pretty tight.
selinux is last ditch. In 2 years, no one has gotten past dd-wrt that I
didn't first give them the password to it. I see my running it as more of the
playing of a role, that of the canary in the coal mine if you will.
>hth , Dominick
3:09 p.m.
New subject: f10 vs selinux again.
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
> On Saturday 28 February 2009, Dominick Grift wrote:
> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
> >> >> Greetings all;
> >> >>
> >> >> I have just upgraded then updated as much as possible, an F8
> >
> >install to
> >
> >> >> F10. selinux is now denying ConsoleKit and friends, and awstats.
> >
> >F10 will
> >
> >> >> run without console-kit-daemon I find, but I went so far as to
> >
> >touch
> >
> >> >> /.autorelabel & reboot & leave it to contemplate its sins
for an
> >
> >hour or
> >
> >> >> so as there is nearly 2TB of drives here. Didn't help.
> >> >>
> >> >> So Now I have selinux disabled, and everything it working. Can
> >
> >this be
> >
> >> >> addressed?
> >> >
> >> >Can you show use the avc denials related to your issues? avc denials
> >
> >are
> >
> >> >sent to /var/log/audit/audit.log and can be retrieved with the
> >
> >ausearch
> >
> >> >command. For example use: ausearch -m avc -ts today, to retrieve
> >
> >today's
> >
> >> >avc denials.
> >>
> >> None today, I turned it off, yesterdays is attached.
> >>
> >> >You state that you updated as much as possible. What did you not
> >
> >update?
> >
> >> About 70 packages are left, all the java stuff cuz I've installed from
> >
> >Sun,
> >
> >> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix
that
> >
> >up by
> >
> >> hand and some of the menus are still fubar) and anytime I do a -devel,
> >
> >it
> >
> >> barfs over strigi. What the heck does that thing do anywho?
> >>
> >> I also am not running the F10 kernel cuz I have to set stakes and call
> >
> >a
> >
> >> surveyer to measure screen scrolling speed, so I'm running 2.6.28.7
> >
> >and am
> >
> >> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now glxgears
> >
> >says
> >
> >> 275-300 fps and I can tolerate it. Anyway, from the yumex screen:
> >>
> >> 14:05:14 : Error in Dependency Resolution
> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed
> >
> >by
> >
> >> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386
> >
> >(rpmfusion-free-
> >
> >> updates)
> >> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is
> >
> >needed by
> >
> >> package
> >
> >kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
> >
> >> (rpmfusion-nonfree-updates)
> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package
> >
> >strigi-
> >
> >> devel-0.5.11-1.fc10.i386 (fedora)
> >>
> >> I might be able to get a list of updates (if you need them) not done
> >
> >from yum.
> >
> >> I use yumex most of the time.
> >>
> >> Thanks Dominick
> >
> >No that is fine, thanks. Which version of selinux-policy is currently
> >installed?
> >
> >I picked a few of the denials out of there and both were allowed in the
> >rawhide policy.
> >
> >This leads me to think that either you are running a old version of the
> >selinux-policy or that the fixes in rawhide policy have not been pushed
> >to Fedora 10 policy yet.
>
> I'll go for the latter as there isn't an update available.
> [root@coyote Documents]# rpm -qa|grep policy
> checkpolicy-2.0.16-3.fc10.i386
> selinux-policy-3.5.13-18.fc10.noarch
> policycoreutils-2.0.57-11.fc10.i386
> policycoreutils-gui-2.0.57-11.fc10.i386
> selinux-policy-targeted-3.5.13-18.fc10.noarch
>
> >I either case you can create custom policies to allow these denials.
> >
> >A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
> >mydenials; /usr/sbin/semodule -i mydenials.pp
>
> And that upchucks. It generates mydenials.pp, then:
> [root@coyote Documents]# /usr/sbin/semodule -i mydenials.pp
> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
> libsemanage.semanage_link_sandbox: Link packages failed
> /usr/sbin/semodule: Failed!
>
> Looks like I may be missing something?
Can you give me to output of sestatus?
you could try /usr/sbin/semodule -s targeted -i mydenials.pp
Fails exactly the same. Does selinux=disabled screw with that?
You might also consider /usr/sbin/semodule -b base.pp (this should
replace the base module)
Are you sure I want to do that?
man semodule
This looks like something that could have gone wrong during the upgrade.
It won't be the first time. When I went from f6 to f8, lots of stuff was
busted, stuff the guru's said could not happen, but did to me. One whole
section of the install was skipped & I had to go pull in about 200 packages by
hand.
It claims that a MLS base module is installed but you have installed
selinux-policy-targeted
And that is how I'm normally configured.
you should really c.c. fedora-selinux-list so that knowledgeable
people
like dwalsh can give suggestions as well.
Duh, sorry. Your reply showed up in the list folder so I didn't hit reply-
all, added now.
> >caution: i did not review all denials in your list, however
most look
> >like they should be allowed.
> >
> >You should not let issues like these persuade you to disable SELinux.
> >You can also run SELinux is permissive mode which will act as an
> >intrusion detection system but will not prevent policy violations.
>
> I am not terribly paranoid about running selinux, Dominick, I have all my
> local network behind an x86 version of dd-wrt & its locked up pretty
> tight. selinux is last ditch. In 2 years, no one has gotten past dd-wrt
> that I didn't first give them the password to it. I see my running it as
> more of the playing of a role, that of the canary in the coal mine if you
> will.
>
> >hth , Dominick
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Let us be charitable, and call it a misleading feature :-)
-- Larry Wall in <2609(a)jato.Jpl.Nasa.Gov>
3:15 p.m.
New subject: f10 vs selinux again.
On Sat, 2009-02-28 at 16:09 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
>On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
>> On Saturday 28 February 2009, Dominick Grift wrote:
>> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
>> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
>> >> >> Greetings all;
>> >> >>
>> >> >> I have just upgraded then updated as much as possible, an F8
>> >
>> >install to
>> >
>> >> >> F10. selinux is now denying ConsoleKit and friends, and
awstats.
>> >
>> >F10 will
>> >
>> >> >> run without console-kit-daemon I find, but I went so far as
to
>> >
>> >touch
>> >
>> >> >> /.autorelabel & reboot & leave it to contemplate its
sins for an
>> >
>> >hour or
>> >
>> >> >> so as there is nearly 2TB of drives here. Didn't help.
>> >> >>
>> >> >> So Now I have selinux disabled, and everything it working.
Can
>> >
>> >this be
>> >
>> >> >> addressed?
>> >> >
>> >> >Can you show use the avc denials related to your issues? avc
denials
>> >
>> >are
>> >
>> >> >sent to /var/log/audit/audit.log and can be retrieved with the
>> >
>> >ausearch
>> >
>> >> >command. For example use: ausearch -m avc -ts today, to retrieve
>> >
>> >today's
>> >
>> >> >avc denials.
>> >>
>> >> None today, I turned it off, yesterdays is attached.
>> >>
>> >> >You state that you updated as much as possible. What did you not
>> >
>> >update?
>> >
>> >> About 70 packages are left, all the java stuff cuz I've installed
from
>> >
>> >Sun,
>> >
>> >> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix
that
>> >
>> >up by
>> >
>> >> hand and some of the menus are still fubar) and anytime I do a -devel,
>> >
>> >it
>> >
>> >> barfs over strigi. What the heck does that thing do anywho?
>> >>
>> >> I also am not running the F10 kernel cuz I have to set stakes and call
>> >
>> >a
>> >
>> >> surveyer to measure screen scrolling speed, so I'm running
2.6.28.7
>> >
>> >and am
>> >
>> >> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now glxgears
>> >
>> >says
>> >
>> >> 275-300 fps and I can tolerate it. Anyway, from the yumex screen:
>> >>
>> >> 14:05:14 : Error in Dependency Resolution
>> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed
>> >
>> >by
>> >
>> >> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386
>> >
>> >(rpmfusion-free-
>> >
>> >> updates)
>> >> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is
>> >
>> >needed by
>> >
>> >> package
>> >
>> >kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
>> >
>> >> (rpmfusion-nonfree-updates)
>> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package
>> >
>> >strigi-
>> >
>> >> devel-0.5.11-1.fc10.i386 (fedora)
>> >>
>> >> I might be able to get a list of updates (if you need them) not done
>> >
>> >from yum.
>> >
>> >> I use yumex most of the time.
>> >>
>> >> Thanks Dominick
>> >
>> >No that is fine, thanks. Which version of selinux-policy is currently
>> >installed?
>> >
>> >I picked a few of the denials out of there and both were allowed in the
>> >rawhide policy.
>> >
>> >This leads me to think that either you are running a old version of the
>> >selinux-policy or that the fixes in rawhide policy have not been pushed
>> >to Fedora 10 policy yet.
>>
>> I'll go for the latter as there isn't an update available.
>> [root@coyote Documents]# rpm -qa|grep policy
>> checkpolicy-2.0.16-3.fc10.i386
>> selinux-policy-3.5.13-18.fc10.noarch
>> policycoreutils-2.0.57-11.fc10.i386
>> policycoreutils-gui-2.0.57-11.fc10.i386
>> selinux-policy-targeted-3.5.13-18.fc10.noarch
>>
>> >I either case you can create custom policies to allow these denials.
>> >
>> >A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
>> >mydenials; /usr/sbin/semodule -i mydenials.pp
>>
>> And that upchucks. It generates mydenials.pp, then:
>> [root@coyote Documents]# /usr/sbin/semodule -i mydenials.pp
>> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
>> libsemanage.semanage_link_sandbox: Link packages failed
>> /usr/sbin/semodule: Failed!
>>
>> Looks like I may be missing something?
>
>Can you give me to output of sestatus?
>
>you could try /usr/sbin/semodule -s targeted -i mydenials.pp
Fails exactly the same. Does selinux=disabled screw with that?
Well you should have SELinux enabled when you install the module.
Enable it first.
>
>You might also consider /usr/sbin/semodule -b base.pp (this should
>replace the base module)
Are you sure I want to do that?
Not totally sure. No. First enable SELinux. Then try to install the
policy module again. If that does not work consider replacing base.pp.
The error suggests that base.pp is for MLS policy. This should not be
the case.
>man semodule
>
>This looks like something that could have gone wrong during the upgrade.
It won't be the first time. When I went from f6 to f8, lots of stuff was
busted, stuff the guru's said could not happen, but did to me. One whole
section of the install was skipped & I had to go pull in about 200 packages by
hand.
>It claims that a MLS base module is installed but you have installed
>selinux-policy-targeted
And that is how I'm normally configured.
>you should really c.c. fedora-selinux-list so that knowledgeable people
>like dwalsh can give suggestions as well.
Duh, sorry. Your reply showed up in the list folder so I didn't hit reply-
all, added now.
>> >caution: i did not review all denials in your list, however most look
>> >like they should be allowed.
>> >
>> >You should not let issues like these persuade you to disable SELinux.
>> >You can also run SELinux is permissive mode which will act as an
>> >intrusion detection system but will not prevent policy violations.
>>
>> I am not terribly paranoid about running selinux, Dominick, I have all my
>> local network behind an x86 version of dd-wrt & its locked up pretty
>> tight. selinux is last ditch. In 2 years, no one has gotten past dd-wrt
>> that I didn't first give them the password to it. I see my running it as
>> more of the playing of a role, that of the canary in the coal mine if you
>> will.
>>
>> >hth , Dominick
5:18 p.m.
New subject: f10 vs selinux again.
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 16:09 -0500, Gene Heskett wrote:
> On Saturday 28 February 2009, Dominick Grift wrote:
> >On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
> >> >> >> Greetings all;
> >> >> >>
> >> >> >> I have just upgraded then updated as much as possible, an
F8
> >> >
> >> >install to
> >> >
> >> >> >> F10. selinux is now denying ConsoleKit and friends, and
awstats.
> >> >
> >> >F10 will
> >> >
> >> >> >> run without console-kit-daemon I find, but I went so far
as to
> >> >
> >> >touch
> >> >
> >> >> >> /.autorelabel & reboot & leave it to contemplate
its sins for an
> >> >
> >> >hour or
> >> >
> >> >> >> so as there is nearly 2TB of drives here. Didn't
help.
> >> >> >>
> >> >> >> So Now I have selinux disabled, and everything it working.
Can
> >> >
> >> >this be
> >> >
> >> >> >> addressed?
> >> >> >
> >> >> >Can you show use the avc denials related to your issues? avc
> >> >> > denials
> >> >
> >> >are
> >> >
> >> >> >sent to /var/log/audit/audit.log and can be retrieved with the
> >> >
> >> >ausearch
> >> >
> >> >> >command. For example use: ausearch -m avc -ts today, to
retrieve
> >> >
> >> >today's
> >> >
> >> >> >avc denials.
> >> >>
> >> >> None today, I turned it off, yesterdays is attached.
> >> >>
> >> >> >You state that you updated as much as possible. What did you
not
> >> >
> >> >update?
> >> >
> >> >> About 70 packages are left, all the java stuff cuz I've
installed
> >> >> from
> >> >
> >> >Sun,
> >> >
> >> >> I've nuked fedora's firefox cuz I already had 3.0.6 (had to
fix that
> >> >
> >> >up by
> >> >
> >> >> hand and some of the menus are still fubar) and anytime I do a
> >> >> -devel,
> >> >
> >> >it
> >> >
> >> >> barfs over strigi. What the heck does that thing do anywho?
> >> >>
> >> >> I also am not running the F10 kernel cuz I have to set stakes and
> >> >> call
> >> >
> >> >a
> >> >
> >> >> surveyer to measure screen scrolling speed, so I'm running
2.6.28.7
> >> >
> >> >and am
> >> >
> >> >> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now
> >> >> glxgears
> >> >
> >> >says
> >> >
> >> >> 275-300 fps and I can tolerate it. Anyway, from the yumex screen:
> >> >>
> >> >> 14:05:14 : Error in Dependency Resolution
> >> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is
needed
> >> >
> >> >by
> >> >
> >> >> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386
> >> >
> >> >(rpmfusion-free-
> >> >
> >> >> updates)
> >> >> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686
is
> >> >
> >> >needed by
> >> >
> >> >> package
> >> >
> >> >kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
> >> >
> >> >> (rpmfusion-nonfree-updates)
> >> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by
package
> >> >
> >> >strigi-
> >> >
> >> >> devel-0.5.11-1.fc10.i386 (fedora)
> >> >>
> >> >> I might be able to get a list of updates (if you need them) not
done
> >> >
> >> >from yum.
> >> >
> >> >> I use yumex most of the time.
> >> >>
> >> >> Thanks Dominick
> >> >
> >> >No that is fine, thanks. Which version of selinux-policy is currently
> >> >installed?
> >> >
> >> >I picked a few of the denials out of there and both were allowed in
> >> > the rawhide policy.
> >> >
> >> >This leads me to think that either you are running a old version of
> >> > the selinux-policy or that the fixes in rawhide policy have not been
> >> > pushed to Fedora 10 policy yet.
> >>
> >> I'll go for the latter as there isn't an update available.
> >> [root@coyote Documents]# rpm -qa|grep policy
> >> checkpolicy-2.0.16-3.fc10.i386
> >> selinux-policy-3.5.13-18.fc10.noarch
> >> policycoreutils-2.0.57-11.fc10.i386
> >> policycoreutils-gui-2.0.57-11.fc10.i386
> >> selinux-policy-targeted-3.5.13-18.fc10.noarch
> >>
> >> >I either case you can create custom policies to allow these denials.
> >> >
> >> >A quick (and dirty) way is to "cat avc-denials.txt | audit2allow
-M
> >> >mydenials; /usr/sbin/semodule -i mydenials.pp
> >>
> >> And that upchucks. It generates mydenials.pp, then:
> >> [root@coyote Documents]# /usr/sbin/semodule -i mydenials.pp
> >> libsepol.link_modules: Tried to link in a non-MLS module with an MLS
> >> base. libsemanage.semanage_link_sandbox: Link packages failed
> >> /usr/sbin/semodule: Failed!
> >>
> >> Looks like I may be missing something?
> >
> >Can you give me to output of sestatus?
This is after the reboot/relabel,
using this /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enabeled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
[root@coyote radeon]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: error (Success)
Policy version: 24
Policy from config file: targeted
and that looks completely fubar to me. But since its 'permissive',
consolekit is running, but sealert is popping up about every 30 seconds.
Its fussing about console-kit-history now. WTH?
> >you could try /usr/sbin/semodule -s targeted -i mydenials.pp
>
> Fails exactly the same. Does selinux=disabled screw with that?
Well you should have SELinux enabled when you install the module.
Enable it first.
> >You might also consider /usr/sbin/semodule -b base.pp (this should
> >replace the base module)
ohhkayy
Turned it back on, rebooted, relabeled, and:
[root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
[root@coyote Documents]# /usr/sbin/semodule -b base.pp
/usr/sbin/semodule: Could not read file 'base.pp': No such file or directory
[root@coyote Documents]# locate base.pp
/etc/selinux/targeted/modules/active/base.pp
/usr/share/selinux/targeted/base.pp.bz2
[root@coyote targeted]# ls -l `locate base.pp`
-rw------- 1 root root 16771501 2009-02-26 18:38
/etc/selinux/targeted/modules/active/base.pp
-rw-r--r-- 1 root root 172790 2008-11-06 13:06 /usr/share/selinux/targeted/base.pp.bz2
So which one is right? I'm getting a headache. :(
So I bunzip2'd the the /usr/share/selinux/targeted/base.pp.bz2 and overwrote
the /etc/selinux/targeted/modules/active/base.pp with it, it was about half
the size. I think this is the same error again.
[root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
And that bunzip2 operation of course generated this:
[root@coyote Documents]# rpm -V `rpm -qa|grep targeted`
missing /usr/share/selinux/targeted/base.pp.bz2
So I did a bzip2 -k base.pp, and now rpm -V is happy again.
Sounds like I need to manually nuke whats in etc and force
rpm to re-install? Unforch, /var/cache/yum is devoid of any
F10 files, I just checked.
Your turn coach. :)
Not totally sure. No. First enable SELinux. Then try to install the
policy module again. If that does not work consider replacing base.pp.
The error suggests that base.pp is for MLS policy. This should not be
the case.
> >man semodule
> >
> >This looks like something that could have gone wrong during the upgrade.
>
> It won't be the first time. When I went from f6 to f8, lots of stuff was
> busted, stuff the guru's said could not happen, but did to me. One whole
> section of the install was skipped & I had to go pull in about 200
> packages by hand.
>
> >It claims that a MLS base module is installed but you have installed
> >selinux-policy-targeted
>
> And that is how I'm normally configured.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Hey dol! merry dol! ring a dong dillo!
Ring a dong! hop along! fal lal the willow!
Tom Bom, jolly Tom, Tom Bombadillo!
-- J. R. R. Tolkien
5:27 p.m.
New subject: f10 vs selinux again.
On Feb 28, 2009, at 5:18 PM, Gene Heskett wrote:
...
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enabeled
enabeled (other than being misspelled) is not a valid choice
(enforcing, permissive, disabled)
...
[root@coyote radeon]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: error (Success)
because the mode from the config file is not correct
joe
6:06 p.m.
New subject: f10 vs selinux again.
On Saturday 28 February 2009, Joe Nall wrote:
On Feb 28, 2009, at 5:18 PM, Gene Heskett wrote:
> ...
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - No SELinux policy is loaded.
> SELINUX=enabeled
enabeled (other than being misspelled) is not a valid choice
(enforcing, permissive, disabled)
Duh, by George you're right. But I can't see fixing that till we get the
base.pp problem fixed.
> ...
> [root@coyote radeon]# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: error (Success)
because the mode from the config file is not correct
joe
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
I either want less decadence or more chance to participate in it.
5:46 p.m.
New subject: f10 vs selinux again.
On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
>On Sat, 2009-02-28 at 16:09 -0500, Gene Heskett wrote:
>> On Saturday 28 February 2009, Dominick Grift wrote:
>> >On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
>> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
>> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
>> >> >> >> Greetings all;
>> >> >> >>
>> >> >> >> I have just upgraded then updated as much as
possible, an F8
>> >> >
>> >> >install to
>> >> >
>> >> >> >> F10. selinux is now denying ConsoleKit and friends,
and awstats.
>> >> >
>> >> >F10 will
>> >> >
>> >> >> >> run without console-kit-daemon I find, but I went so
far as to
>> >> >
>> >> >touch
>> >> >
>> >> >> >> /.autorelabel & reboot & leave it to
contemplate its sins for an
>> >> >
>> >> >hour or
>> >> >
>> >> >> >> so as there is nearly 2TB of drives here. Didn't
help.
>> >> >> >>
>> >> >> >> So Now I have selinux disabled, and everything it
working. Can
>> >> >
>> >> >this be
>> >> >
>> >> >> >> addressed?
>> >> >> >
>> >> >> >Can you show use the avc denials related to your issues?
avc
>> >> >> > denials
>> >> >
>> >> >are
>> >> >
>> >> >> >sent to /var/log/audit/audit.log and can be retrieved with
the
>> >> >
>> >> >ausearch
>> >> >
>> >> >> >command. For example use: ausearch -m avc -ts today, to
retrieve
>> >> >
>> >> >today's
>> >> >
>> >> >> >avc denials.
>> >> >>
>> >> >> None today, I turned it off, yesterdays is attached.
>> >> >>
>> >> >> >You state that you updated as much as possible. What did
you not
>> >> >
>> >> >update?
>> >> >
>> >> >> About 70 packages are left, all the java stuff cuz I've
installed
>> >> >> from
>> >> >
>> >> >Sun,
>> >> >
>> >> >> I've nuked fedora's firefox cuz I already had 3.0.6
(had to fix that
>> >> >
>> >> >up by
>> >> >
>> >> >> hand and some of the menus are still fubar) and anytime I do
a
>> >> >> -devel,
>> >> >
>> >> >it
>> >> >
>> >> >> barfs over strigi. What the heck does that thing do anywho?
>> >> >>
>> >> >> I also am not running the F10 kernel cuz I have to set stakes
and
>> >> >> call
>> >> >
>> >> >a
>> >> >
>> >> >> surveyer to measure screen scrolling speed, so I'm running
2.6.28.7
>> >> >
>> >> >and am
>> >> >
>> >> >> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now
>> >> >> glxgears
>> >> >
>> >> >says
>> >> >
>> >> >> 275-300 fps and I can tolerate it. Anyway, from the yumex
screen:
>> >> >>
>> >> >> 14:05:14 : Error in Dependency Resolution
>> >> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is
needed
>> >> >
>> >> >by
>> >> >
>> >> >> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386
>> >> >
>> >> >(rpmfusion-free-
>> >> >
>> >> >> updates)
>> >> >> Missing Dependency: kernel-uname-r =
2.6.27.15-170.2.24.fc10.i686 is
>> >> >
>> >> >needed by
>> >> >
>> >> >> package
>> >> >
>> >> >kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
>> >> >
>> >> >> (rpmfusion-nonfree-updates)
>> >> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by
package
>> >> >
>> >> >strigi-
>> >> >
>> >> >> devel-0.5.11-1.fc10.i386 (fedora)
>> >> >>
>> >> >> I might be able to get a list of updates (if you need them)
not done
>> >> >
>> >> >from yum.
>> >> >
>> >> >> I use yumex most of the time.
>> >> >>
>> >> >> Thanks Dominick
>> >> >
>> >> >No that is fine, thanks. Which version of selinux-policy is
currently
>> >> >installed?
>> >> >
>> >> >I picked a few of the denials out of there and both were allowed
in
>> >> > the rawhide policy.
>> >> >
>> >> >This leads me to think that either you are running a old version
of
>> >> > the selinux-policy or that the fixes in rawhide policy have not
been
>> >> > pushed to Fedora 10 policy yet.
>> >>
>> >> I'll go for the latter as there isn't an update available.
>> >> [root@coyote Documents]# rpm -qa|grep policy
>> >> checkpolicy-2.0.16-3.fc10.i386
>> >> selinux-policy-3.5.13-18.fc10.noarch
>> >> policycoreutils-2.0.57-11.fc10.i386
>> >> policycoreutils-gui-2.0.57-11.fc10.i386
>> >> selinux-policy-targeted-3.5.13-18.fc10.noarch
>> >>
>> >> >I either case you can create custom policies to allow these
denials.
>> >> >
>> >> >A quick (and dirty) way is to "cat avc-denials.txt |
audit2allow -M
>> >> >mydenials; /usr/sbin/semodule -i mydenials.pp
>> >>
>> >> And that upchucks. It generates mydenials.pp, then:
>> >> [root@coyote Documents]# /usr/sbin/semodule -i mydenials.pp
>> >> libsepol.link_modules: Tried to link in a non-MLS module with an MLS
>> >> base. libsemanage.semanage_link_sandbox: Link packages failed
>> >> /usr/sbin/semodule: Failed!
>> >>
>> >> Looks like I may be missing something?
>> >
>> >Can you give me to output of sestatus?
This is after the reboot/relabel, using this /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enabeled
should read enforcing or permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
[root@coyote radeon]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: error (Success)
This looks wrong. see above
Policy version: 24
Policy from config file: targeted
and that looks completely fubar to me. But since its 'permissive',
consolekit is running, but sealert is popping up about every 30 seconds.
Its fussing about console-kit-history now. WTH?
You can easily disable setroubleshoot:
service setroubleshoot stop
( to disable it by default: chkconfig setroubleshoot off )
>> >you could try /usr/sbin/semodule -s targeted -i
mydenials.pp
>>
>> Fails exactly the same. Does selinux=disabled screw with that?
>
>Well you should have SELinux enabled when you install the module.
>Enable it first.
>
>> >You might also consider /usr/sbin/semodule -b base.pp (this should
>> >replace the base module)
ohhkayy
Turned it back on, rebooted, relabeled, and:
[root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
[root@coyote Documents]# /usr/sbin/semodule -b base.pp
/usr/sbin/semodule: Could not read file 'base.pp': No such file or directory
[root@coyote Documents]# locate base.pp
/etc/selinux/targeted/modules/active/base.pp
/usr/share/selinux/targeted/base.pp.bz2
[root@coyote targeted]# ls -l `locate base.pp`
-rw------- 1 root root 16771501 2009-02-26 18:38
/etc/selinux/targeted/modules/active/base.pp
-rw-r--r-- 1 root root 172790 2008-11-06 13:06 /usr/share/selinux/targeted/base.pp.bz2
So which one is right? I'm getting a headache. :(
the one in /etc is active. The one is /usr is used to generate it i
believe
So I bunzip2'd the the /usr/share/selinux/targeted/base.pp.bz2 and overwrote
the /etc/selinux/targeted/modules/active/base.pp with it, it was about half
the size. I think this is the same error again.
[root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
And that bunzip2 operation of course generated this:
[root@coyote Documents]# rpm -V `rpm -qa|grep targeted`
missing /usr/share/selinux/targeted/base.pp.bz2
So I did a bzip2 -k base.pp, and now rpm -V is happy again.
Sounds like I need to manually nuke whats in etc and force
rpm to re-install? Unforch, /var/cache/yum is devoid of any
F10 files, I just checked.
Your turn coach. :)
You could try:
rpm -Uvh --replacefiles --replacepkgs selinux-policy and
selinux-policy-targeted then make sure your base.pp is fresh (try
semodule -B)
>
>Not totally sure. No. First enable SELinux. Then try to install the
>policy module again. If that does not work consider replacing base.pp.
>
>The error suggests that base.pp is for MLS policy. This should not be
>the case.
>
>> >man semodule
>> >
>> >This looks like something that could have gone wrong during the upgrade.
>>
>> It won't be the first time. When I went from f6 to f8, lots of stuff was
>> busted, stuff the guru's said could not happen, but did to me. One whole
>> section of the install was skipped & I had to go pull in about 200
>> packages by hand.
>>
>> >It claims that a MLS base module is installed but you have installed
>> >selinux-policy-targeted
>>
>> And that is how I'm normally configured.
6:11 p.m.
New subject: f10 vs selinux again.
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
> On Saturday 28 February 2009, Dominick Grift wrote:
> >On Sat, 2009-02-28 at 16:09 -0500, Gene Heskett wrote:
> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
> >> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett
wrote:
> >> >> >> >> Greetings all;
> >> >> >> >>
> >> >> >> >> I have just upgraded then updated as much as
possible, an F8
> >> >> >
> >> >> >install to
> >> >> >
> >> >> >> >> F10. selinux is now denying ConsoleKit and
friends, and
> >> >> >> >> awstats.
> >> >> >
> >> >> >F10 will
> >> >> >
> >> >> >> >> run without console-kit-daemon I find, but I went
so far as to
> >> >> >
> >> >> >touch
> >> >> >
> >> >> >> >> /.autorelabel & reboot & leave it to
contemplate its sins for
> >> >> >> >> an
> >> >> >
> >> >> >hour or
> >> >> >
> >> >> >> >> so as there is nearly 2TB of drives here.
Didn't help.
> >> >> >> >>
> >> >> >> >> So Now I have selinux disabled, and everything it
working.
> >> >> >> >> Can
> >> >> >
> >> >> >this be
> >> >> >
> >> >> >> >> addressed?
> >> >> >> >
> >> >> >> >Can you show use the avc denials related to your
issues? avc
> >> >> >> > denials
> >> >> >
> >> >> >are
> >> >> >
> >> >> >> >sent to /var/log/audit/audit.log and can be retrieved
with the
> >> >> >
> >> >> >ausearch
> >> >> >
> >> >> >> >command. For example use: ausearch -m avc -ts today,
to retrieve
> >> >> >
> >> >> >today's
> >> >> >
> >> >> >> >avc denials.
> >> >> >>
> >> >> >> None today, I turned it off, yesterdays is attached.
> >> >> >>
> >> >> >> >You state that you updated as much as possible. What
did you not
> >> >> >
> >> >> >update?
> >> >> >
> >> >> >> About 70 packages are left, all the java stuff cuz
I've installed
> >> >> >> from
> >> >> >
> >> >> >Sun,
> >> >> >
> >> >> >> I've nuked fedora's firefox cuz I already had
3.0.6 (had to fix
> >> >> >> that
> >> >> >
> >> >> >up by
> >> >> >
> >> >> >> hand and some of the menus are still fubar) and anytime I
do a
> >> >> >> -devel,
> >> >> >
> >> >> >it
> >> >> >
> >> >> >> barfs over strigi. What the heck does that thing do
anywho?
> >> >> >>
> >> >> >> I also am not running the F10 kernel cuz I have to set
stakes and
> >> >> >> call
> >> >> >
> >> >> >a
> >> >> >
> >> >> >> surveyer to measure screen scrolling speed, so I'm
running
> >> >> >> 2.6.28.7
> >> >> >
> >> >> >and am
> >> >> >
> >> >> >> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees.
Now
> >> >> >> glxgears
> >> >> >
> >> >> >says
> >> >> >
> >> >> >> 275-300 fps and I can tolerate it. Anyway, from the
yumex
> >> >> >> screen:
> >> >> >>
> >> >> >> 14:05:14 : Error in Dependency Resolution
> >> >> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25
is
> >> >> >> needed
> >> >> >
> >> >> >by
> >> >> >
> >> >> >> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386
> >> >> >
> >> >> >(rpmfusion-free-
> >> >> >
> >> >> >> updates)
> >> >> >> Missing Dependency: kernel-uname-r =
2.6.27.15-170.2.24.fc10.i686
> >> >> >> is
> >> >> >
> >> >> >needed by
> >> >> >
> >> >> >> package
> >> >> >
> >> >>
>kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
> >> >> >
> >> >> >> (rpmfusion-nonfree-updates)
> >> >> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed
by
> >> >> >> package
> >> >> >
> >> >> >strigi-
> >> >> >
> >> >> >> devel-0.5.11-1.fc10.i386 (fedora)
> >> >> >>
> >> >> >> I might be able to get a list of updates (if you need
them) not
> >> >> >> done
> >> >> >
> >> >> >from yum.
> >> >> >
> >> >> >> I use yumex most of the time.
> >> >> >>
> >> >> >> Thanks Dominick
> >> >> >
> >> >> >No that is fine, thanks. Which version of selinux-policy is
> >> >> > currently installed?
> >> >> >
> >> >> >I picked a few of the denials out of there and both were
allowed in
> >> >> > the rawhide policy.
> >> >> >
> >> >> >This leads me to think that either you are running a old
version of
> >> >> > the selinux-policy or that the fixes in rawhide policy have
not
> >> >> > been pushed to Fedora 10 policy yet.
> >> >>
> >> >> I'll go for the latter as there isn't an update available.
> >> >> [root@coyote Documents]# rpm -qa|grep policy
> >> >> checkpolicy-2.0.16-3.fc10.i386
> >> >> selinux-policy-3.5.13-18.fc10.noarch
> >> >> policycoreutils-2.0.57-11.fc10.i386
> >> >> policycoreutils-gui-2.0.57-11.fc10.i386
> >> >> selinux-policy-targeted-3.5.13-18.fc10.noarch
> >> >>
> >> >> >I either case you can create custom policies to allow these
> >> >> > denials.
> >> >> >
> >> >> >A quick (and dirty) way is to "cat avc-denials.txt |
audit2allow -M
> >> >> >mydenials; /usr/sbin/semodule -i mydenials.pp
> >> >>
> >> >> And that upchucks. It generates mydenials.pp, then:
> >> >> [root@coyote Documents]# /usr/sbin/semodule -i mydenials.pp
> >> >> libsepol.link_modules: Tried to link in a non-MLS module with an
MLS
> >> >> base. libsemanage.semanage_link_sandbox: Link packages failed
> >> >> /usr/sbin/semodule: Failed!
> >> >>
> >> >> Looks like I may be missing something?
> >> >
> >> >Can you give me to output of sestatus?
>
> This is after the reboot/relabel, using this /etc/selinux/config
>
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - No SELinux policy is loaded.
> SELINUX=enabeled
should read enforcing or permissive
> # SELINUXTYPE= can take one of these two values:
> # targeted - Targeted processes are protected,
> # mls - Multi Level Security protection.
> SELINUXTYPE=targeted
> # SETLOCALDEFS= Check local definition changes
> SETLOCALDEFS=0
>
> [root@coyote radeon]# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: error (Success)
This looks wrong. see above
> Policy version: 24
> Policy from config file: targeted
>
> and that looks completely fubar to me. But since its 'permissive',
> consolekit is running, but sealert is popping up about every 30 seconds.
> Its fussing about console-kit-history now. WTH?
You can easily disable setroubleshoot:
service setroubleshoot stop
( to disable it by default: chkconfig setroubleshoot off )
> >> >you could try /usr/sbin/semodule -s targeted -i mydenials.pp
> >>
> >> Fails exactly the same. Does selinux=disabled screw with that?
> >
> >Well you should have SELinux enabled when you install the module.
> >Enable it first.
> >
> >> >You might also consider /usr/sbin/semodule -b base.pp (this should
> >> >replace the base module)
>
> ohhkayy
>
> Turned it back on, rebooted, relabeled, and:
>
> [root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
> libsemanage.semanage_link_sandbox: Link packages failed
> /usr/sbin/semodule: Failed!
>
> [root@coyote Documents]# /usr/sbin/semodule -b base.pp
> /usr/sbin/semodule: Could not read file 'base.pp': No such file or
> directory [root@coyote Documents]# locate base.pp
> /etc/selinux/targeted/modules/active/base.pp
> /usr/share/selinux/targeted/base.pp.bz2
>
> [root@coyote targeted]# ls -l `locate base.pp`
> -rw------- 1 root root 16771501 2009-02-26 18:38
> /etc/selinux/targeted/modules/active/base.pp -rw-r--r-- 1 root root
> 172790 2008-11-06 13:06 /usr/share/selinux/targeted/base.pp.bz2
>
> So which one is right? I'm getting a headache. :(
the one in /etc is active. The one is /usr is used to generate it i
believe
> So I bunzip2'd the the /usr/share/selinux/targeted/base.pp.bz2 and
> overwrote the /etc/selinux/targeted/modules/active/base.pp with it, it was
> about half the size. I think this is the same error again.
> [root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
> libsemanage.semanage_link_sandbox: Link packages failed
> /usr/sbin/semodule: Failed!
>
> And that bunzip2 operation of course generated this:
> [root@coyote Documents]# rpm -V `rpm -qa|grep targeted`
> missing /usr/share/selinux/targeted/base.pp.bz2
>
> So I did a bzip2 -k base.pp, and now rpm -V is happy again.
>
> Sounds like I need to manually nuke whats in etc and force
> rpm to re-install? Unforch, /var/cache/yum is devoid of any
> F10 files, I just checked.
>
> Your turn coach. :)
You could try:
rpm -Uvh --replacefiles --replacepkgs selinux-policy
and
selinux-policy-targeted
then make sure your base.pp is fresh (try
semodule -B)
Where do I get the policy and policy-targeted rpms?
/var/cache/yum is empty of any F10 stuff.
How about I use the ones on the install dvd? Then if they are old, yumex can
replace them.
> >Not totally sure. No. First enable SELinux. Then try to
install the
> >policy module again. If that does not work consider replacing base.pp.
> >
> >The error suggests that base.pp is for MLS policy. This should not be
> >the case.
> >
> >> >man semodule
> >> >
> >> >This looks like something that could have gone wrong during the
> >> > upgrade.
I'll second that thought. Thanks Dominick
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
I either want less decadence or more chance to participate in it.
6:39 p.m.
New subject: f10 vs selinux again.
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
You could try:
rpm -Uvh --replacefiles --replacepkgs selinux-policy and
selinux-policy-targeted then make sure your base.pp is fresh (try
semodule -B)
Ok, did that, no problem with the selinux-policy rpm from the dvd, but when I do the same
with selinux-policy-
targeted, I'm right back to square one:
[root@coyote Packages]# rpm -Uvh --replacefiles --replacepkgs
selinux-policy-targeted-3.5.13-18.fc10.noarch.rpm
Preparing... ########################################### [100%]
1:selinux-policy-targeted########################################### [100%]
libsepol.print_missing_requirements: pki's global requirements were not met:
type/attribute pki_kra_port_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
A somewhat different error message that might be a bit more enlightening to
someone who actually knows what it means, but its swahili to me. :)
So, should I nuke the contents of /etc/selinux/* and repeat the rpm commands?
Your turn, Coach. :)
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Lightning strikes.
5:18 a.m.
New subject: f10 vs selinux again.
On Sat, 2009-02-28 at 19:39 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
>On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
>
>You could try:
>rpm -Uvh --replacefiles --replacepkgs selinux-policy and
>selinux-policy-targeted then make sure your base.pp is fresh (try
>semodule -B)
Ok, did that, no problem with the selinux-policy rpm from the dvd, but when I do the same
with selinux-policy-
targeted, I'm right back to square one:
[root@coyote Packages]# rpm -Uvh --replacefiles --replacepkgs
selinux-policy-targeted-3.5.13-18.fc10.noarch.rpm
Preparing... ########################################### [100%]
1:selinux-policy-targeted########################################### [100%]
libsepol.print_missing_requirements: pki's global requirements were not met:
type/attribute pki_kra_port_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
A somewhat different error message that might be a bit more enlightening to
someone who actually knows what it means, but its swahili to me. :)
So, should I nuke the contents of /etc/selinux/* and repeat the rpm commands?
Your turn, Coach. :)
You can get the latest packages from koji.fedoraproject.org/koji or your
local fedora mirror.
The error above looks like a bug in policy.
Make sure that if you install the latest selinux policy for f10 from
koji, that you install both: selinux-policy as well as
selinux-policy-targeted.
10:54 a.m.
New subject: f10 vs selinux again.
On Sunday 01 March 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 19:39 -0500, Gene Heskett wrote:
> On Saturday 28 February 2009, Dominick Grift wrote:
> >On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
> >
> >You could try:
> >rpm -Uvh --replacefiles --replacepkgs selinux-policy and
> >selinux-policy-targeted then make sure your base.pp is fresh (try
> >semodule -B)
>
> Ok, did that, no problem with the selinux-policy rpm from the dvd, but
> when I do the same with selinux-policy- targeted, I'm right back to square
> one:
>
> [root@coyote Packages]# rpm -Uvh --replacefiles --replacepkgs
> selinux-policy-targeted-3.5.13-18.fc10.noarch.rpm Preparing...
> ########################################### [100%]
> 1:selinux-policy-targeted###########################################
> [100%] libsepol.print_missing_requirements: pki's global requirements were
> not met: type/attribute pki_kra_port_t libsemanage.semanage_link_sandbox:
> Link packages failed
> semodule: Failed!
>
> A somewhat different error message that might be a bit more enlightening
> to someone who actually knows what it means, but its swahili to me. :)
>
> So, should I nuke the contents of /etc/selinux/* and repeat the rpm
> commands?
>
> Your turn, Coach. :)
You can get the latest packages from koji.fedoraproject.org/koji or your
local fedora mirror.
The error above looks like a bug in policy.
Make sure that if you install the latest selinux policy for f10 from
koji, that you install both: selinux-policy as well as
selinux-policy-targeted.
I found late yesterday that the updates repo in my yum-repos.d was disabled.
Enabling that & pulling in several hundred more updates, I have not seen
another alert since I installed those updated ones. No idea where they came
from, just some yum mirror I have to assume lacking more info.
Maybe we can lay this one to rest, and I can go back to "enforcing" since its
permissive due to a miss-spelling of enforcing in the config. Sorry for the
noise, my apologies.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Everything should be made as simple as possible, but not simpler.
-- Albert Einstein
5534
days inactive
5535
days old
selinux@lists.fedoraproject.org
10 comments
3 participants
participants (3)
-
Dominick Grift -
Gene Heskett -
Joe Nall